A recent Java update to Java 8 build 131 changed what Java would accept as a “signed” JAR app. Specifically, any JAR signed with an MD5 hash will no longer be considered trusted, as the MD5 hash is now considered to be weak.
This change results in applications refusing to run with an error message like:
preloader: Delivering: ErrorEvent[url=https://XXXXX label=attempted to open sandboxed jar https://XXXXX/.jar as a Trusted-Library cause=attempted to open sandboxed jar https://XXXXX/.jar as a Trusted-Library
This occurs when the site delivering the applet is signing it with an MD5 hash. I’ve seen reports of the PulseSecure PCS and Cisco ASA doing this with the HOBsoft HOBlink Java RDP client, meaning that users are unable to securely access systems behind these devices.
PulseSecure have a workaround for their PCS –https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB40580.
Cisco do not currently have a solution.
The simplest workarounds are:
a) downgrade to an earlier release of Java, or
b) re-enable MD5 hash as an acceptable cipher.
Here’s how to do the latter on Windows and macOS (OS X). It involves editing the “java.security” config file which the Java Virtual Machine uses.
Windows (tested on Windows 10)
You will need local administrator access for this.
Close browsers and any Java apps
Open CMD as Administrator
cd "C:\Program Files (x86)\Java\jre1.8.0_131\lib\security" notepad java.security
(The path may be C:\Program Files\Java\jre1.8.0_131\lib\security if you run the 64-bit Java)
Current Line:
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
Change this to:
jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024
(i.e. remove the “MD5,”)
Save the file
macOS Sierra (Mac OSX)
cd /Library/Internet\ Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security sudo vi java.security
Enter your password at the prompt so that you can edit the protected file.
Type “/jdk.jar.disabledAlg” to find the relevant line.
Current Line:
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024Change this to:
jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024(i.e. remove the “MD5,” – use the cursor keys to move to the “MD5,” and press “x” to delete each character)
Save the file by holding down SHIFT and pressing “Z” twice.
Caveat: This workaround is disabling a security measure within Java, so should be considered a risk. However, the risk is only the same as the previous version of Java, and I would assume vendors will eventually update their systems so that they sign Java applets in a secure fashion.
This works with later versions of Java as well. I’ve tried it up to Java 8 Build 161. You do have to repeat the change after each upgrade though as it restores the MD5 text.
Thank you very much. it helped me.
Thank you for this post! I spent two days searching for a solution. The MAC solution also worked for Elementary OS 0.4.0 Loki.
Thank you very much, this really helped me.
Thank you so much!!! Helped me get into an old system with the least amount of trouble.
Thank you for this – trying to do this on a Mac. What program do I open to run the original command? Thanks
Hi Sarah – You’ll need to run that command in Terminal on the Mac.
When editing the file in “vi”, use “x” to delete a character, “i” will let you insert, and the “Esc” key will exit “insert mode”.
Alternatively, use “sudo nano java.security” instead to use the more user friendly “nano” editor.
thanks! very helpfull!
Thank you very much! It is really very helpfull!!!
You are amazing!
Wonderful 🙂
Thank you very much! This fix works also when using openJDK on linux.
Finally found the fix I was looking for! Thanks.
Thanks so much! This worked on my Windows 10 machine. This was getting very frustrating.
Awesomeness! This is still valid. Supermicro Remote Console is behind the times. Access was denied until I tweaked the file based on your recommendation.
Thank you!
Thank you very much this helps…
Thanks. Worked for me!
Obrigado! Ajudou muito!
Thanks but that doesn’t work on JRE 8 update 181 any other ideas appreciated.
Thank you so much! Very helpful